Re: HTTP intercept, with a twist
In message <178639720.1068210404@[192.168.1.44]>, Harald Tveit Alvestrand writes:
>Router vendor inspired by Verisign?
>
><http://www.theregister.co.uk/content/69/33858.html>
>
A new form of evil... To me, that's a monkey-in-the-middle attack.
It's also a very good reason to tunnel one's http traffic to somewhere
beyond the reach of such nonsense.

I'm going to do what I can to publicize this, in the hope that they
take a *big* financial hit from having to recall those units. These
people are slime. Verisign could at least argue that they were only
intervening in an error situation.

I also wonder how they do the opt-out. Is their server resetting some
config flag in the "router"? With what security? Or does the Belkin
URL always go to their site, with the real URL tagged along? In that
case, they're eavesdropping on communications.

--Steve Bellovin, http://www.research.att.com/~smb